Results 51 to 75 of 139
Thread: SuperMicro IPMI Security
-
11-08-2010, 04:40 PM #51 Randy
True, but the fact it's there (in addition to the default "ADMIN/ADMIN" account) is pretty strange. Just changing the main ADMIN password isn't enough, and it wouldn't surprise me if this was overlooked on some deployments. To be honest I didn't notice it until recently when I was messing around with ipmitool.
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
11-08-2010, 04:44 PM #52 Web Hosting Guru
-
11-09-2010, 02:17 AM #53 Web Hosting Evangelist
-
11-09-2010, 02:59 AM #54
The "anonymous" account, by default, has full admin rights with no password. On some versions of IPMI you can delete this account; on other versions, all you can do is either change the password or set the account access type to "no access". Either way, the default is very insecure.
IOFLOOD.com -- We Love Servers
Phoenix, AZ Dedicated Servers in under an hour
★ Ryzen 9: 7950x3D ★ Dual E5-2680v4 Xeon ★
Contact Us: sales@ioflood.com ★
-
11-09-2010, 04:13 AM #55 Web Hosting Evangelist
-
11-09-2010, 06:13 AM #56 ******* Unleaded
clueless, wet behind the ears junior comp sci graduate who cribbed every single assignment and test who spends most of his time on twitfacespace.
all of the defenses were well known before the advent of the internet. seems like they've been forgotten.
they even make it harder to defend yourself. for example, the insistence on prohibiting deletion of "root", and the insistence that ssh has to be port 22. after all, the programmer knows what's best for you. not.
about the only thing you can do to defend such a poor implementation is by using an external device, or turn it off.
in one particular implementation of ipmi, the https channel is actually safer than the ssh channel. but only marginally so because the single difference is the ability to use an arbitrary port. security by obscurity. not exactly a shining example of a best practice, but better than waiting for scans on port 22.
Last edited by plumsauce; 11-09-2010 at 06:23 AM.
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com
-
11-09-2010, 07:44 PM #57 Junior Guru Wannabe
How does Super Doctor III compare to IPMI
I do not have any servers, but was looking at buying an A+ 1U server to co-locate. Super Micro shows a system called Super Doctor III on all their motherboard pages. I assume this is different from IPMI.
Has anyone used this? How does it compare? As leaky? The motherboard I was looking at was H8DGU & does not show IPMI. Is this an Opteron trade-off? FYI, I favored this over Xeon, because the service I will be providing is massively parallel / HPC. My process could easily floor a minimum of 400 cores & 15k cores in some spots, not for very long though. This 24 core system seemed ideal, until I saw this thread.
-
11-09-2010, 08:12 PM #58 Backup Guru
Scott Burns, President
BQ Internet Corporation
Remote Rsync and FTP backup solutions
*** http://www.bqbackup.com/ ***
-
11-09-2010, 11:08 PM #59 Randy
-
11-10-2010, 12:25 PM #60 Junior Guru Wannabe
Thanks bqinternet, I was looking at the page for the wrong board. The '-F' version has IPMI 2.0. The AS-1022G-NTF bare bones system, CompSource $827, does indeed use the '-F' version.
Looked at the Supero Doctor manual. Yes FastServ, it is an app on the server with a Windows Client. It also does not do much unless your server is also Windows based. Thanks for the clarification. No need for me to look any further at it.
-
11-10-2010, 02:59 PM #61 Newbie
I don't think the embedded IPMI microsystem would be able to run anything that could spam emails... it's very limited in resources and not 'rootable' to my knowledge, even with access... It's possible somebody is MAC spoofing and stole the IP to flood spam, as I'm sure spammers have learned to do, and an IPMI device would be the ideal candidate to 'kick off' the network to achieve this. Probably why you can't connect to it too.
Very simple to test for this: physically unplug the IPMI and try to ping it; if it responds, you've got yourself a spoofer.
-
11-10-2010, 05:40 PM #62 WHT Addict
-
11-10-2010, 06:53 PM #63 Backup Guru
-
11-10-2010, 07:21 PM #64 WHT Addict
-
11-10-2010, 07:36 PM #65 Web Hosting Guru
-
11-11-2010, 01:31 PM #66 WHT Addict
-
11-11-2010, 04:15 PM #67 Web Hosting Master
-
11-11-2010, 06:21 PM #68 Randy
X8STI-F
Code:
# netstat -nalpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5120            0.0.0.0:*               LISTEN      411/cdserver
tcp        0      0 0.0.0.0:5123            0.0.0.0:*               LISTEN      445/fdserver
tcp        0      0 0.0.0.0:5988            0.0.0.0:*               LISTEN      334/sfcbd
tcp        0      0 0.0.0.0:555             0.0.0.0:*               LISTEN      242/webgo
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      453/stunnel4
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      393/adviserd
tcp        0      0 0.0.0.0:623             0.0.0.0:*               LISTEN      286/
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      230/webgo
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      230/webgo
tcp        0      0 127.0.0.1:8765          0.0.0.0:*               LISTEN      393/adviserd
tcp        1      0 127.0.0.1:38849         127.0.0.1:623           CLOSE_WAIT  230/webgo
tcp        1      0 127.0.0.1:34140         127.0.0.1:623           CLOSE_WAIT  230/webgo
tcp        1      0 127.0.0.1:38850         127.0.0.1:623           CLOSE_WAIT  230/webgo
tcp6       0      0 :::22                   :::*                    LISTEN      375/dropbear

Code:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-
12-05-2010, 09:05 PM #69 WHT Addict
Did Supermicro ever follow-up about this?
-
12-06-2010, 07:25 AM #70 Web Hosting Guru
-
12-06-2010, 07:59 AM #71 Web Hosting Industry Expert
Honestly I think it's best to just either put IPMI behind a firewall or to disable the switch ports unless you actually need access. Yes, it's going to cause another minute or two delay in an emergency situation, but I'd personally rather have that happen than have somebody potentially brute force a password and then be able to power down servers, or worse.
Spam is definitely a bad thing, but them potentially gaining full control over the IPMI device could be much worse.
█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,800 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
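The listing in #68 shows every BMC service bound to 0.0.0.0 (plus dropbear on :::22) behind an empty iptables policy of ACCEPT, and #71 recommends putting the BMC behind a firewall. The script below is an added example, not code from the thread or from Supermicro: it parses that netstat output, picks out the listeners reachable from off-box, and emits an allowlist-only iptables ruleset. The management subnet 10.0.0.0/24 is an assumption, and the rules are ordinary iptables syntax for a Linux firewall in front of the BMC (or for the BMC itself where you have a shell), not a vendor feature.

```python
"""Audit a BMC's listening sockets and emit an allowlist-only firewall.

Added example, not code from the original thread. NETSTAT_SAMPLE is the
X8STI-F `netstat -nalpt` listing posted in #68 (TCP only). MGMT_NET is an
assumed management subnet; the generated rules are plain iptables syntax.
"""
import re

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5120 0.0.0.0:* LISTEN 411/cdserver
tcp 0 0 0.0.0.0:5123 0.0.0.0:* LISTEN 445/fdserver
tcp 0 0 0.0.0.0:5988 0.0.0.0:* LISTEN 334/sfcbd
tcp 0 0 0.0.0.0:555 0.0.0.0:* LISTEN 242/webgo
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 453/stunnel4
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 393/adviserd
tcp 0 0 0.0.0.0:623 0.0.0.0:* LISTEN 286/
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 230/webgo
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 230/webgo
tcp 0 0 127.0.0.1:8765 0.0.0.0:* LISTEN 393/adviserd
tcp 1 0 127.0.0.1:38849 127.0.0.1:623 CLOSE_WAIT 230/webgo
tcp6 0 0 :::22 :::* LISTEN 375/dropbear
"""

MGMT_NET = "10.0.0.0/24"   # assumption: the only subnet that may reach the BMC
LOOPBACK = {"127.0.0.1", "::1"}

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN, pid/program
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def exposed_listeners(netstat_text):
    """Return (proto, port, program) for every listener bound to a non-loopback address."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header, CLOSE_WAIT/ESTABLISHED rows, blank lines
        proto, addr, port, prog = m.groups()
        if addr in LOOPBACK:
            continue  # only reachable from the BMC itself
        found.append((proto, int(port), prog))
    return found


def firewall_rules(listeners, mgmt_net=MGMT_NET):
    """Default-deny INPUT; exposed TCP ports and RMCP+ (UDP/623) allowed only from mgmt_net.

    IPv6 listeners are dropped outright because no v6 management range is assumed.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # IPMI-over-LAN (RMCP+) is UDP/623, which a -t listing never shows
        "iptables -A INPUT -p udp -s %s --dport 623 -j ACCEPT" % mgmt_net,
    ]
    for proto, port, prog in sorted(listeners, key=lambda l: l[1]):
        if proto == "tcp":
            rules.append(
                "iptables -A INPUT -p tcp -s %s --dport %d -m conntrack --ctstate NEW -j ACCEPT  # %s"
                % (mgmt_net, port, prog)
            )
        else:
            rules.append("ip6tables -A INPUT -p tcp --dport %d -j DROP  # %s" % (port, prog))
    return rules


if __name__ == "__main__":
    print("\n".join(firewall_rules(exposed_listeners(NETSTAT_SAMPLE))))
```

Feed it the real `netstat -nalpt` from the BMC (or from whatever is in front of it) and paste the output into the firewall's startup script. Because the listing is TCP only, the UDP/623 rule for RMCP+ is added unconditionally; that port is the one `ipmitool -I lanplus` talks to and is the one brute-forcers go after.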
-
12-06-2010, 05:52 PM #72 Backup Guru
-
05-03-2011, 09:46 AM #73 Randy
Found a compromised BMC on an X8SIL-F the other day. Interesting because it uses SMASH and not a normal Bash shell.
Either way, turns out the guest account was being used as an SSH tunnel -- so that explains how some of you may have seen spam or other 'odd' activity originating from your BMC. This particular BMC attracted a multi-gigabit DDOS so they were certainly using it to piss somebody off, although we didn't see any spam reports.
Due to the extreme limitations imposed by SMASH I wasn't able to dig much further. But it does appear they did more than tunneling -- they managed to add other users that weren't visible in the web interface. In addition to this several parts of the web interface were malfunctioning (sensor readings) and they had somehow blocked the local network from access. I can only imagine they somehow got access to a normal shell to be able to do these things.
A firmware upgrade did not resolve this, it took a factory reset to get things back under control.
And before anyone jumps all over me for having an IPMI device on a public interface, it was a colo client, not one of our own systems.
-
05-03-2011, 10:29 AM #74 Web Hosting Master
Either way, turns out the guest account was being used as an SSH tunnel
Try the "shell" command
Code:
ssh ADMIN@192.168.88.245
ADMIN@192.168.88.245's password:
Auth User/Pass with PS...pass.

ATEN SMASH-CLP System Management Shell, version 1.00
Copyright (c) 2008-2009 by ATEN International CO., Ltd. All Rights Reserved

-> shell sh
Change shell to sh
# ls
SFCB   bin  dropbear  lib      lost+found  proc  sys  usr  web
SMASH  dev  etc       linuxrc  nv          sbin  tmp  var  wsman
Maxnet
Offering automated dedicated server provisioning software
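The nameless account from #54 and the accounts in #73 that never showed up in the web interface are both visible through the IPMI interface itself. The script below is an added example, not code from the thread or from Supermicro/ATEN: it parses `ipmitool user list 1` output, flags any slot that is not at NO ACCESS and is either nameless or not in the list of accounts you provisioned, and prints the `ipmitool user disable` and `ipmitool channel setaccess ... privilege=15` commands that lock each one out. The listing is a constructed sample in ipmitool's fixed-width row format; `EXPECTED_USERS = {"ADMIN"}` and LAN channel 1 are assumptions.

```python
"""Audit the BMC user table over IPMI rather than through the web UI.

Added example, not code from the original thread. The listing is a
constructed sample in the fixed-width layout ipmitool uses for `user list`;
EXPECTED_USERS and CHANNEL are assumptions for this example.
"""


# Constructed sample in ipmitool's "%-4d%-17s%-8s%-11s%-11s%-s" row format:
# slot 1 is the nameless anonymous account, slot 2 is ADMIN, slot 3 is an
# account nobody provisioned, slot 4 is an unused slot already at NO ACCESS.
def _row(uid, name, callin, link_auth, ipmi_msg, priv):
    return "%-4d%-17s%-8s%-11s%-11s%s" % (uid, name, callin, link_auth, ipmi_msg, priv)


SAMPLE_USER_LIST = "\n".join([
    "ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit",
    _row(1, "",       "true", "false", "true",  "ADMINISTRATOR"),
    _row(2, "ADMIN",  "true", "false", "true",  "ADMINISTRATOR"),
    _row(3, "backup", "true", "false", "true",  "OPERATOR"),
    _row(4, "",       "true", "false", "false", "NO ACCESS"),
])

EXPECTED_USERS = {"ADMIN"}   # assumption: the only account you provisioned
CHANNEL = 1                  # assumption: the LAN channel used for IPMI-over-LAN


def parse_user_list(listing):
    """Split `ipmitool user list` rows on the fixed column widths (IPMI names are at most 16 bytes)."""
    users = []
    for line in listing.splitlines():
        if not line[:1].isdigit():
            continue  # header or blank line
        fields = line[21:].split()
        users.append({
            "id": int(line[:4]),
            "name": line[4:21].strip(),
            "callin": fields[0] == "true",
            "link_auth": fields[1] == "true",
            "ipmi_msg": fields[2] == "true",
            "priv": " ".join(fields[3:]),   # "NO ACCESS" is two words
        })
    return users


def audit_users(listing, expected=EXPECTED_USERS):
    """Return (id, reason) for every slot that can still log in but should not.

    `user list` does not report enabled/disabled state, so any slot not at
    NO ACCESS is treated as live; that over-reports unused nameless slots
    rather than missing a live one.
    """
    findings = []
    for u in parse_user_list(listing):
        if u["priv"] == "NO ACCESS":
            continue
        if u["name"] == "":
            findings.append((u["id"], "anonymous slot still has %s" % u["priv"]))
        elif u["name"] not in expected:
            findings.append((u["id"], "unexpected account %r with %s" % (u["name"], u["priv"])))
    return findings


def lockdown_commands(findings, channel=CHANNEL):
    """ipmitool commands to disable each flagged slot and set it to NO ACCESS (privilege=15).

    Both are emitted because, as #54 notes, which controls a given firmware honours varies.
    """
    cmds = []
    for uid, _reason in findings:
        cmds.append("ipmitool user disable %d" % uid)
        cmds.append("ipmitool channel setaccess %d %d callin=off ipmi=off link=off privilege=15"
                    % (channel, uid))
    return cmds


if __name__ == "__main__":
    for uid, reason in audit_users(SAMPLE_USER_LIST):
        print("slot %d: %s" % (uid, reason))
    print("\n".join(lockdown_commands(audit_users(SAMPLE_USER_LIST))))
```

Run the real `ipmitool -I lanplus -H <bmc> -U ADMIN user list 1` output through `audit_users` after every firmware update and factory reset as well; #73 notes that a firmware upgrade alone did not clear the compromise, and the slots were only visible outside the web UI.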
-
05-03-2011, 11:11 AM #75 Randy